[thelist] Avoiding SQL Injection
kris burford
kris at midtempo.net
Mon Mar 21 13:12:08 CST 2005
>I understand what SQL Injection is, and have read some articles on
>it. The one thing I'm not quite sure of is how restrictive I need to be
>in a form input field which should allow free-form text. I will be
>putting this into a database table for suggestions.
>
[snip]
This is the function I call to do this. Hope it helps.
kris
function my_htmlspecialchars($t="")
{
// Use a forward lookahead so & is converted only when it is not already
// the start of a numeric entity such as &#123;
$t = preg_replace("/&(?!#[0-9]+;)/s", '&amp;', $t );
$t = str_replace( "<", '&lt;' , $t );
$t = str_replace( ">", '&gt;' , $t );
$t = str_replace( '"', '&quot;', $t );
$t = str_replace( "'", '&#039;', $t );
return $t;
}
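The function above is an HTML-escaping step, which protects the page where the suggestion is later displayed; it does not by itself keep free-form text from being interpreted as SQL when it is inserted. The usual way to do that is to pass the text as a bound parameter of a prepared statement. The following is an added example, not code from the original post or from its author: it uses PDO with an in-memory SQLite database, a constructed table named suggestions, and constructed sample input, so it runs stand-alone. The text is stored exactly as typed and escaped only at the HTML boundary.

```php
<?php
// Added example (not from the original post): store free-form suggestion
// text with a prepared statement, then escape it for HTML only on output.
// The in-memory database, the "suggestions" table and the sample input
// are constructed for this demonstration.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE suggestions (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// The text goes in as a bound parameter: the driver never treats it as
// part of the SQL, so quotes, semicolons or comment markers inside it are
// stored literally and cannot change the statement.
function store_suggestion(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO suggestions (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetch_suggestion(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM suggestions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Escaping belongs at the HTML boundary, not at the SQL one. The built-in
// htmlspecialchars covers the same characters as a hand-rolled function.
function render_suggestion(string $body): string
{
    return '<li>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

$db = open_db();
// Constructed sample: text that would break a query built by string concatenation.
$input = "Great site! It's the 'best' <b>ever</b>; -- really";
$id = store_suggestion($db, $input);
$stored = fetch_suggestion($db, $id);
if ($stored !== $input) {
    throw new RuntimeException('stored text does not match input');
}
echo render_suggestion($stored), "\n";
```

With this split the input field can accept any text at all: nothing needs to be stripped or rejected for the sake of the database, and the escaping decision is made once, where the text is written into HTML.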